7 ICS cyber security: modelling techniques and tools
7.2 Game theory
Game theory has been perceived as a natural way of modelling cyber security. Indeed, a game is a description of the strategic interaction between opposing, or co-operating, interests where the constraints and payoffs for actions are taken into consideration [85]. Depending on the nature and amount of information held by each player engaged in a play, a game can be perfect or imperfect, complete or incomplete, static or dynamic.
Perfect/ Imperfect game
A game is labelled perfect when all players involved in the game are aware of the set of actions that an adversary player has already taken. Conversely, an imperfect game is one where at least one player does not know the next moves of an opponent.
Complete / Incomplete game
A complete game is one where all the players are fully acquainted with the strategy and objectives of their adversary. However, the set of actions that may be taken towards meeting such objectives is not necessarily known. The distinction between a complete game and a perfect game resides in the fact that completeness does not take into account the actions each player has already taken [85].
By analogy, a game is said to be incomplete when at least one player is not aware of some of the strategies and objectives of another player.
Static game
A game is said to be static if no player can change his/her strategy during the course of the game. Generally speaking, a static game is considered a one-off game, as each player plays out his/her strategy in one go with no subsequent move left. A static game is an imperfect game by nature, as no further information is available as to what the next move of an adversary player will be.
Dynamic game
As opposed to a static game, players in a dynamic game choose their strategies as the game unfolds.
7.2.1 Game-theoretic approach to cyber-security
[86] have investigated the usefulness of game theory to capture information warfare. In the paper, the authors reviewed four different games before discussing how a dominant position can be achieved and maintained through the orchestration of an appropriate strategy. The first of such games involves two armies engaged in military warfare, with one set to use its technological capability to disable the enemy's Command, Control, Communication, and Intelligence (C3I) before the actual military offensives take place. The second example used by the authors concerns a cyber-attack on such critical infrastructure as nuclear and electricity power plants, telecommunication, water and gas, using DoS tools, viruses and worms. The ultimate aim of the attackers in this case is to wreak havoc and spread fear in society. The third example discussed by the authors has great similarities to the previous one, as it involves a terrorist attack on a number of businesses and companies that may be key to the economy of a country. The successful launch of such an attack depends on the attacker being able to gather information on the targets and also on determining the optimal timing for such an attack. The fourth and final example involves a dormant warfare which aims at collecting strategic information related to the economy and technology in view of hindering progress.
Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx
Final version Page 83 on 153
Having applied a game theory approach to these examples, the authors concluded that:
1. a bold strategy was required to force an enemy to believe that a player will not accept any threats.
2. mixed strategies can mitigate the dominant position of the attacker, especially when any defence strategy is effective only against a specific attack strategy. Changing the defence strategy somewhat randomly will increase the probability of mitigating attacks.
3. an attacker should overload a network only part of the time, so that the defender will not stop using the network completely.
4. maintaining a dominant position requires the stronger player to limit the long-term costs to the weaker party, since these may otherwise lead to a rebellion that damages both sides.
[84] have argued that a comprehensive grasp of an attacker's intent, objectives and strategies (AIOS) is key to a successful risk assessment and harm prediction. Subsequently, the authors proposed a game-theoretic approach to inferring AIOS. A brute-force DDoS attack is used as a case study in the experiment conducted by the authors to demonstrate how attack strategies can be inferred in real-world attack-defence scenarios. Some of the key findings of the authors are that the security and assurance of the system greatly depend on the appropriate selection of the game model. Furthermore, the effectiveness of the IDS and the correlation of the attack actions play a role in the determination of the best AIOS game models.
[85] adopt a game-theoretic approach to the modelling of DoS and DDoS in network systems. The premise of such an initiative lies in the potential of game theory concepts to capture the essence of cyber security: that of two entities competing for contradictory payoffs. Indeed, a distributed denial of service is modelled as a two-player game in which the attacker attempts to find the most effective packet sending rate or botnet size, while the defender or network administrator is concerned with putting in place the best firewall setting to block unwanted traffic while allowing legitimate traffic through. A DoS is represented with a single attacking node, while multiple nodes are used in the context of a DDoS. In both cases, the authors assumed that the malicious nodes are operated by one attacker and that two possible cases can be considered. The first of such cases considers the game as being static, i.e. neither the administrator nor the attacker changes their strategy during the course of the game. In this set-up, the strategy of the attacker is confined to a few actions: the selection of the malicious nodes, the size of the botnet (m) used to launch the (D)DoS and the setting of the rate of malicious traffic (rA). Conversely, the defender or network administrator can only change the mid-point (M) of the firewall, which represents the rate of packets being dropped by the firewall.
The Nash equilibrium of this game is defined to be a pair of strategies (rA, m, M), which
dynamic game makes it hard to actually compute the Nash equilibrium, since the change in strategy by both players may result in a continuous shift of the latter. For instance, the authors highlighted that an attacker A can think that if he/she sets rA low and m high during the first few time steps, the defender D will set M to a low value, and then A can exploit it by setting rA high and m low in the next few time steps, assuming that D does not change M. A similar reasoning can be adopted by the defender based on assumptions made about the attacker's behaviour.
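As an added worked example (not from [85] or this deliverable), the static (D)DoS game above and the best-response reasoning of the dynamic case are carried through in a constructed toy model: the firewall mid-point M is simplified to a hard per-flow rate threshold, legitimate clients send at a fixed rate, and each bot has a running cost. The payoff functions, the candidate values of rA, m and M, and the all-or-nothing filter are my assumptions.

```python
import itertools

# Constructed toy model (my assumptions, not the cited authors' payoffs):
#  - attacker strategy: botnet size m and per-bot sending rate rA
#  - defender strategy: firewall mid-point M; a flow with rate above M is dropped
#  - legitimate clients: N_LEGIT flows, each sending at rate R_LEGIT
#  - each bot costs BOT_COST per time step to keep running
N_LEGIT, R_LEGIT, BOT_COST = 10, 1.0, 0.5
RATES = (0.5, 1.0, 2.0, 4.0)   # candidate values for rA and for M
SIZES = (1, 2, 4)              # candidate botnet sizes m

def passed(rate, mid):
    """Fraction of a flow the firewall lets through: all or nothing at M."""
    return 1.0 if rate <= mid else 0.0

def attacker_payoff(rA, m, M):
    """Malicious traffic reaching the target minus the cost of running the bots."""
    return m * rA * passed(rA, M) - BOT_COST * m

def defender_payoff(rA, m, M):
    """Legitimate traffic served minus malicious traffic that got through."""
    legit = N_LEGIT * R_LEGIT * passed(R_LEGIT, M)
    return legit - m * rA * passed(rA, M)

def attacker_best_response(M):
    """Best (rA, m) against a fixed firewall setting; ties go to the first candidate."""
    return max(itertools.product(RATES, SIZES),
               key=lambda a: attacker_payoff(a[0], a[1], M))

def defender_best_response(rA, m):
    """Best M against a fixed attacker strategy; ties go to the lowest M."""
    return max(RATES, key=lambda M: defender_payoff(rA, m, M))

def pure_nash_equilibria():
    """Static game: profiles (rA, m, M) where no player gains by deviating alone."""
    profiles = [(rA, m, M) for rA, m in itertools.product(RATES, SIZES)
                for M in RATES]
    return [(rA, m, M) for rA, m, M in profiles
            if attacker_payoff(rA, m, M)
               >= attacker_payoff(*attacker_best_response(M), M)
            and defender_payoff(rA, m, M)
               >= defender_payoff(rA, m, defender_best_response(rA, m))]

def best_response_dynamics(rA, m, M, steps=6):
    """Dynamic game: each side re-optimises against the other's last observed move."""
    path = [(rA, m, M)]
    for _ in range(steps):
        M = defender_best_response(rA, m)      # D reacts to what A just did
        rA, m = attacker_best_response(M)      # A reacts to the new firewall
        path.append((rA, m, M))
    return path
```

In this toy model the only pure equilibrium has the attacker sending at the legitimate rate with the largest botnet and the defender's threshold sitting exactly at the legitimate rate, which is why mixed or adaptive strategies become interesting as soon as the filter is less clear-cut.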
A Markov game approach to the assessment of risks is proposed by [83]. The authors argued that a comprehensive assessment of risk in network information systems should account not only for the current but also for the future risks. The work of Xiaolin et al. (2008) is based on the extension of the relationship between threat, vulnerability and asset commonly used in the determination of a risk level. They noted that a vulnerability that remains unpatched can help in the spread of risk, while a risk can be considerably reduced if prompt and decisive action is taken by the administrator. Subsequently, [83] proposed a game where the threat and the vulnerability agents are represented as the players. Thus the threat agent increases the risk through the action "threat spreading" and the vulnerability agent decreases the risk through the action "system administrator's repairing the vulnerability". The ultimate aim of the game is to get a more comprehensive value of risk as well as enabling the system administrator to select the best system repair scheme.